mirror of https://github.com/MISP/misp-docker
Default to modern nginx security - resolves #50
parent
5083315a00
commit
9d2e722140
|
@ -48,7 +48,7 @@ services:
|
||||||
# Optional Settings
|
# Optional Settings
|
||||||
# - "NOREDIR=true" # Do not redirect port 80
|
# - "NOREDIR=true" # Do not redirect port 80
|
||||||
# - "DISIPV6=true" # Disable IPV6 in nginx
|
# - "DISIPV6=true" # Disable IPV6 in nginx
|
||||||
|
# - "SECURESSL=true" # Enable higher security SSL in nginx
|
||||||
misp-modules:
|
misp-modules:
|
||||||
image: coolacid/misp-docker:modules-latest
|
image: coolacid/misp-docker:modules-latest
|
||||||
environment:
|
environment:
|
||||||
|
|
|
@ -120,7 +120,8 @@ ARG PHP_VER
|
||||||
|
|
||||||
# nginx
|
# nginx
|
||||||
RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php
|
RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php
|
||||||
COPY files/etc/nginx/misp /etc/nginx/sites-enabled/misp
|
COPY files/etc/nginx/misp /etc/nginx/sites-available/misp
|
||||||
|
COPY files/etc/nginx/misp-secure /etc/nginx/sites-available/misp-secure
|
||||||
COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80
|
COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80
|
||||||
COPY files/etc/nginx/misp80-noredir /etc/nginx/sites-available/misp80-noredir
|
COPY files/etc/nginx/misp80-noredir /etc/nginx/sites-available/misp80-noredir
|
||||||
|
|
||||||
|
|
|
@ -123,6 +123,21 @@ else
|
||||||
echo "Configure NGINX | Port 80 already configured"
|
echo "Configure NGINX | Port 80 already configured"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ ! -L "/etc/nginx/sites-enabled/misp" && "$SECURESSL" == true ]]; then
|
||||||
|
echo "Configure NGINX | Using Secure SSL"
|
||||||
|
ln -s /etc/nginx/sites-available/misp-secure /etc/nginx/sites-enabled/misp
|
||||||
|
elif [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
|
||||||
|
echo "Configure NGINX | Using Standard SSL"
|
||||||
|
ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
|
||||||
|
if [[ ! -f /etc/ssl/certs/dhparams.pem ]]; then
|
||||||
|
echo "Configure NGINX | Building dhparams.pem"
|
||||||
|
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "Configure NGINX | SSL already configured"
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
if [[ "$DISIPV6" == true ]]; then
|
if [[ "$DISIPV6" == true ]]; then
|
||||||
echo "Configure NGINX | Disabling IPv6"
|
echo "Configure NGINX | Disabling IPv6"
|
||||||
sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp80
|
sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp80
|
||||||
|
|
|
@ -17,8 +17,10 @@ server {
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
|
|
||||||
# modern configuration
|
# intermediate configuration
|
||||||
ssl_protocols TLSv1.3;
|
ssl_dhparam /etc/ssl/certs/dhparams.pem;
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
ssl_prefer_server_ciphers off;
|
ssl_prefer_server_ciphers off;
|
||||||
|
|
||||||
# enable HSTS
|
# enable HSTS
|
||||||
|
|
Loading…
Reference in New Issue